FruityArmor APT Exploits But One other Home windows Graphics Kernel Flaw

This is the second local privilege-escalation zero-day this APT group has exploited.

A just-patched zero-day vulnerability in win32k.sys – the Windows graphics kernel component – is at the heart of a probable sighting of the FruityArmor APT group – an under-the-radar cyberespionage gang active in the Middle East.

A recent campaign uncovered by Kaspersky Lab led researchers to the zero-day (CVE-2018-8453), which is a local privilege-escalation flaw that Microsoft fixed as part of Patch Tuesday for October this week. The APT group was seen using a high-quality exploit for the bug to execute the first stage of a malware installer – with the purpose of gaining the necessary privileges for persistence on the victim’s system.

When it comes to the chain of attack, “in the most basic scenario, and also the one we observed in the campaign, a successful attack with this flaw requires running a specially crafted application that contains an exploit for this vulnerability on the targeted machine,” Vladislav Stolyarov, malware analyst for Kaspersky Lab, told Threatpost.

Following successful exploitation, the payload (which is bundled with the malware installer) is a sophisticated implant used for stealing token information and acting as a backdoor.

“The second stage of the payload is a PowerShell backdoor that leads to a final malware payload we called ‘SoleDragon’ for one of the strings found in the sample,” Stolyarov said. “It is an advanced backdoor that allows an attacker to gain full remote control of an infected machine – to execute shellcode, commands, download subsequent stages of the malware, etc.”

The binary also uses Microsoft Background Intelligent Transfer Service (BITS) for communicating with its C2 servers, an unusual technique.

The exploit is also very stable and reliable, so it won’t really affect stability of the targeted machine, or result in a denial-of-service, which aid in anti-detection and persistence, Stolyarov noted. “But, this exploit would be much more powerful if used in conjunction with some other exploit – be it for a PDF reader or a web browser, as it may allow an attacker to escape a sandbox, for example in Acrobat Reader, to achieve full system privileges from an untrusted sandboxed process,” he said.

Stolyarov said that when it comes to the bar for exploitation, “triggering the vulnerability is not easy (as well as finding it though common methods like fuzzing and reverse engineering). But after triggering, the rest is easy and should be doable for a skilled vulnerability researcher.”

A Large Threat Surface

Millions of Windows machines are vulnerable to the flaw, the researcher told us: Notably, the exploit code that Kaspersky Lab found in the campaign is written with the aim of reliably exploiting as many different Microsoft Windows builds as possible, including Microsoft Windows 10 RS4.

“Every modern Windows machine is already supported in the sample we found, so I would say that a lot of organizations are being affected by this bug,” Stolyarov told Threatpost. “From reverse-engineering the code in the exploit sample, we can conclude that its developers tried to target as wide a user base as possible, as there are different exploitation procedures for a wide range of supported operating system versions and builds.”

For instance, the exploit for CVE-2018-8453 contains a number of different heap spray tactics – i.e., techniques for “spraying” the targeted process with objects in an effort to successfully reclaim a freed memory pool and execute arbitrary code.

It in fact includes five separate functions for spraying, Kaspersky Lab found, because the successful heap-spray procedure is different for various exploited Windows versions.

“For the latest supported version (Windows 10 RS4), the spray tactic is quite complicated,” researchers detailed in a posting on the bug on Wednesday. “The kernel is sprayed with bitmap objects of different size. This is required to exhaust the memory allocator to eventually bypass the low-fragmentation heap security mitigations that were significantly improved in the latest Windows builds.”

Despite the vastness of the vulnerability surface, the observed attack was highly targeted, affecting less than a dozen victims in the Middle East region, according to Kaspersky Lab telemetry.

Attribution and Victimology

As for attribution, Stolyarov told Threatpost that Kaspersky Lab in 2016 disclosed another local privilege-escalation vulnerability exploited by the same group in 2016. In that case, the researchers saw that the attackers were using a PowerShell backdoor.

“This group commonly uses Powershell, an automation and scripting language for Windows, something that was rarely seen back then,” he noted. “Two years later, with the latest CVE-2018-8453 we continue to see PowerShell scripts being used by the FruityArmor, at least for the initial payload.”

Researchers in the posting added, “There is also an overlap in the domains used for command-and-control between this new set of activity and previous FruityArmor campaigns.”

Taken together, the evidence gives researchers medium confidence that FruityArmor is indeed responsible for the attacks leveraging CVE-2018-8453.

That said, the researchers also found that the zero-day is similar to CVE-2017-0263, which was originally deployed by the Sofacy/APT 28 APT, in that it’s also a use-after-free problem in win32k. Stolyarov also said that it’s very alike in how it uses usermode callbacks to trigger the bug.

However, “overall…observed domains and payloads and some other indicators used in the campaign do not link to other APTs,” he said.

So far, this campaign has been extremely targeted, affecting a very low number of victims in the Middle East region, probably persons of interest for the attackers. However, the victimology is not clear, especially with such a small number of victims involved.

Nonetheless, FruityArmor´s activity has been slowly increasing during the last two years, and the extremely targeted nature of the attacks may help them fly below the radar.

“FruityArmor is a powerful threat actor that has been around for quite some time,” said Stolyarov. “The entry bar (from both the cost and the required skill aspects) to enter the zero-day scene have been raised significantly in the past few years due to all the efforts from software vendors and mitigations in the modern operating systems. Seeing a new Windows exploit from this group only reassures us that we can expect something else from them in the future.”